Merge pull request #280811 from ivywei0125/yuwe/azconfig_rotate_key

[App Configuration] Add docs for key rotation

Author: ttorble

articles/azure-app-configuration/TOC.yml

@@ -211,7 +211,7 @@
           href: concept-enable-rbac.md
         - name: Assign an Azure Managed Identity
           href: overview-managed-identity.md
-        - name: Disable access key authentication
+        - name: Manage access key authentication
           href: howto-disable-access-key-authentication.md
         - name: Security controls by Azure Policy
           href: ./security-controls-policy.md

articles/azure-app-configuration/howto-disable-access-key-authentication.md

@@ -1,43 +1,108 @@
 ---
-title: Disable access key authentication for an Azure App Configuration instance
+title: Manage access key authentication for an Azure App Configuration instance
 titleSuffix: Azure App Configuration
-description: Learn how to disable access key authentication for an Azure App Configuration instance.
+description: Learn how to manage access key authentication for an Azure App Configuration instance.
 ms.service: azure-app-configuration
 author: maud-lv
 ms.author: malev
 ms.topic: how-to
 ms.date: 04/05/2024
 ---
 
-# Disable access key authentication for an Azure App Configuration instance
+# Manage access key authentication for an Azure App Configuration instance
 
-Every request to an Azure App Configuration resource must be authenticated. By default, requests can be authenticated with either Microsoft Entra credentials, or by using an access key. Of these two types of authentication schemes, Microsoft Entra ID provides superior security and ease of use over access keys, and is recommended by Microsoft. To require clients to use Microsoft Entra ID to authenticate requests, you can disable the usage of access keys for an Azure App Configuration resource.
+Every request to an Azure App Configuration resource must be authenticated. By default, requests can be authenticated with either Microsoft Entra credentials, or by using an access key. Of these two types of authentication schemes, Microsoft Entra ID provides superior security and ease of use over access keys, and is recommended by Microsoft. To require clients to use Microsoft Entra ID to authenticate requests, you can disable the usage of access keys for an Azure App Configuration resource. If you want to use access keys to authenticate the request, it's recommended to rotate access keys every 90 days to enhance security.
 
-When you disable access key authentication for an Azure App Configuration resource, any existing access keys for that resource are deleted. Any subsequent requests to the resource using the previously existing access keys will be rejected. Only requests that are authenticated using Microsoft Entra ID will succeed. For more information about using Microsoft Entra ID, see [Authorize access to Azure App Configuration using Microsoft Entra ID](./concept-enable-rbac.md).
+## Enable access key authentication
 
-## Disable access key authentication
-
-Disabling access key authentication will delete all access keys. If any running applications are using access keys for authentication, they will begin to fail once access key authentication is disabled. Enabling access key authentication again will generate a new set of access keys and any applications attempting to use the old access keys will still fail.
+Access key is enabled by default, you can use access keys in your code to authenticate requests.
 
 > [!WARNING]
 > If any clients are currently accessing data in your Azure App Configuration resource with access keys, then Microsoft recommends that you migrate those clients to [Microsoft Entra ID](./concept-enable-rbac.md) before disabling access key authentication.
 
 # [Azure portal](#tab/portal)
 
+To allow/disallow access key authentication for an Azure App Configuration resource in the Azure portal, follow these steps:
+
+1. Navigate to your Azure App Configuration resource in the Azure portal.
+1. Locate the **Access settings** setting under **Settings**.
+
+    :::image type="content" border="true" source="./media/access-settings-blade.png" alt-text="Screenshot showing how to access an Azure App Configuration resources access key blade.":::
+
+1. Set the **Enable access keys** toggle to **Enabled**.
+
+    :::image type="content" border="true" source="./media/enable-access-keys.png" alt-text="Screenshot showing how to enable access key authentication for Azure App Configuration.":::
+
+# [Azure CLI](#tab/azure-cli)
+
+To enable access keys for Azure App configuration resource, use the following command. The `--disable-local-auth` option is set to "false" for enable local auth. 
+
+```azurecli-interactive
+az appconfig update \
+    --name <app-configuration-name> \
+    --resource-group <resource-group> \
+    --disable-local-auth false
+```
+
+---
+
+### Verify that access key authentication is enabled
+
+To verify if access key authentication is enabled, check if you're able to get a list of read and read-write access keys. This list will only exist if access key authentication is enabled.
+
+# [Azure portal](#tab/portal)
+
+To check if access key authentication is enabled for an Azure App Configuration resource in the Azure portal, follow these steps:
+
+1. Navigate to your Azure App Configuration resource in the Azure portal.
+1. Locate the **Access settings** setting under **Settings**.
+
+    :::image type="content" border="true" source="./media/access-settings-blade.png" alt-text="Screenshot showing how to access an Azure App Configuration resources access key blade.":::
+
+1. Check if there are access keys displayed and if the toggled state of **Enable access keys** is enabled.
+
+    :::image type="content" border="true" source="./media/get-access-keys-list.png" alt-text="Screenshot showing access keys for an Azure App Configuration resource.":::
+
+# [Azure CLI](#tab/azure-cli)
+
+To check if access key authentication is enabled for an Azure App Configuration resource, use the following command. The command will list the access keys for an Azure App Configuration resource.
+If access key authentication is enabled, then read access keys and read-write access keys will be returned.
+
+```azurecli-interactive
+az appconfig credential list \
+    --name <app-configuration-name> \
+    --resource-group <resource-group>
+```
+
+---
+
+## Disable access key authentication
+
+Disabling access key authentication will delete all access keys. If any running applications are using access keys for authentication, they will begin to fail once access key authentication is disabled. Only requests that are authenticated using Microsoft Entra ID will succeed. For more information about using Microsoft Entra ID, see [Authorize access to Azure App Configuration using Microsoft Entra ID](./concept-enable-rbac.md). Enabling access key authentication again will generate a new set of access keys and any applications attempting to use the old access keys will still fail.
+
+# [Azure portal](#tab/portal)
+
 To disallow access key authentication for an Azure App Configuration resource in the Azure portal, follow these steps:
 
 1. Navigate to your Azure App Configuration resource in the Azure portal.
-2. Locate the **Access settings** setting under **Settings**.
+1. Locate the **Access settings** setting under **Settings**.
 
     :::image type="content" border="true" source="./media/access-settings-blade.png" alt-text="Screenshot showing how to access an Azure App Configuration resources access key blade.":::
 
-3. Set the **Enable access keys** toggle to **Disabled**.
+1. Set the **Enable access keys** toggle to **Disabled**.
 
     :::image type="content" border="true" source="./media/disable-access-keys.png" alt-text="Screenshot showing how to disable access key authentication for Azure App Configuration":::
 
 # [Azure CLI](#tab/azure-cli)
 
-The capability to disable access key authentication using the Azure CLI is in development.
+To disable access keys for Azure App configuration resource, use the following command. The `--disable-local-auth` option is set to "true" for disable local auth. 
+
+```azurecli-interactive
+az appconfig update \
+    --name <app-configuration-name> \
+    --resource-group <resource-group> \
+    --disable-local-auth true
+```
 
 ---
 
@@ -50,31 +115,24 @@ To verify that access key authentication is no longer permitted, a request can b
 To verify access key authentication is disabled for an Azure App Configuration resource in the Azure portal, follow these steps:
 
 1. Navigate to your Azure App Configuration resource in the Azure portal.
-2. Locate the **Access settings** setting under **Settings**.
+1. Locate the **Access settings** setting under **Settings**.
 
     :::image type="content" border="true" source="./media/access-settings-blade.png" alt-text="Screenshot showing how to access an Azure App Configuration resources access key blade.":::
 
-3. Verify there are no access keys displayed and **Enable access keys** is toggled to **Disabled**.
+1. Check that there are no access keys displayed and the toggled state of **Enable access keys** is off.
 
     :::image type="content" border="true" source="./media/disable-access-keys.png" alt-text="Screenshot showing access keys being disabled for an Azure App Configuration resource":::
 
 # [Azure CLI](#tab/azure-cli)
 
-To verify access key authentication is disabled for an Azure App Configuration resource in the Azure portal, use the following command. The command will list the access keys for an Azure App Configuration resource and if access key authentication is disabled the list will be empty.
+To verify access key authentication is disabled for an Azure App Configuration resource, use the following command. The command will list the access keys for an Azure App Configuration resource and if access key authentication is disabled the list will be empty.
 
 ```azurecli-interactive
 az appconfig credential list \
     --name <app-configuration-name> \
     --resource-group <resource-group>
 ```
 
-If access key authentication is disabled, then an empty list will be returned.
-
-```
-C:\Users\User>az appconfig credential list -g <resource-group> -n <app-configuration-name>
-[]
-```
-
 ---
 
 ## Permissions for allowing or disallowing access key authentication
@@ -96,6 +154,25 @@ Be careful to restrict assignment of these roles only to those users who require
 > [!NOTE]
 > When access key authentication is disabled and [ARM authentication mode](./quickstart-deployment-overview.md#azure-resource-manager-authentication-mode) of App Configuration store is local, the capability to read/write key-values in an [ARM template](./quickstart-resource-manager.md) will be disabled as well. This is because access to the Microsoft.AppConfiguration/configurationStores/keyValues resource used in ARM templates requires access key authentication with local ARM authentication mode. It's recommended to use pass-through ARM authentication mode. For more information, see [Deployment overview](./quickstart-deployment-overview.md).
 
+## Rotate access key
+Microsoft recommends that you rotate your access keys periodically to help keep your resource secure. If possible, use Azure Key Vault to manage your access keys. If you are not using Key Vault, you will need to rotate your keys manually.
+
+Each Azure App Configuration resource has two access keys to enable secret rotation. This is a security precaution that lets you regularly change the keys that can access your service, protecting the privacy of your resource if a key gets leaked. The recommended rotation cycle is 90 days.
+
+You can rotate keys using the following procedure:
+
+1. If you're using both keys in production, change your code so that only one access key is in use. In this example, let's say you decide to keep using your store's primary key.
+You must have only one key in your code, because when you regenerate your secondary key, the older version of that key will stop working immediately, causing clients using the older key to get 401 access denied errors.
+
+1. Once the primary key is the only key in use, you can regenerate the secondary key. Go to your resource's page on the Azure portal, open the **Settings** > **Access settings** menu, and select **Regenerate** under **Secondary key**.
+
+1. Next, update your code to use the newly generated secondary key.
+It helps to have logs or availability to check that users of the key have successfully swapped from using the primary key to the secondary key before you proceed.
+
+1. Now you can regenerate the primary key using the same process.
+
+1. Finally, update your code to use the new primary key.
+
 ## Next steps
 
 - [Use customer-managed keys to encrypt your App Configuration data](concept-customer-managed-keys.md)